While much of the attention this week on the massive number of requests for subscriber information has rightly focused on the government and a legal framework that provides insufficient oversight (and is about to expand warrantless disclosure under Bills C-13 and S-4), the telecom and Internet companies also deserve greater scrutiny. One of the key questions in the document on telecom and Internet provider disclosure practices asked simply:

Do you notify your customers, when the law allows, that their information has been requested, thus giving them an opportunity to contest the request in court?

The answer from every provider: No.

In the United States, major U.S. technology companies are now moving to disclose requests to affected customers, with the Washington Post reporting that they believe that “users have a right to know in advance when their information is targeted for government seizure.” Yet Canadian providers apparently disclose subscriber information hundreds of thousands of times every year but keep their customers in the dark.

Legislative reform is needed that requires telecom and Internet providers to advise affected individuals about warrantless disclosures of their personal information unless a court prohibits them from doing so. Such a requirement would inform Canadians when their information is being disclosed and provide them with the opportunity to contest it if they see fit.

In the meantime, Canadians could also use existing law more aggressively to demand that telecom providers reveal any instances of prior disclosures of their information. The law allows an individual to file a request with an organization for access to their personal information, including any details on past disclosures. Failure to comply would violate Canada’s private sector privacy law. Christopher Parsons of the Citizen Lab has created a template for doing just that – the page provides the information Canadians need to file a request and the contact details for where it should be sent.

14 Comments

Is this really a surprise?
I am not sure how much each provider gets paid for access to each record, but I assume it is somewhere between $2 and $10 a record. For 1.2 million requests, it seems like they have quite an incentive to keep the gravy train running without slowing down to “ask permission” or incur any additional costs by notifying customers, supporting those notifications, etc.

The only thing they need now is to limit their civil liability; good thing there is an act for that.

Subscribers Disclosing Information
There was a big to-do about this very issue on television just a few nights ago. The Assistant-Privacy Commissioner has certainly expressed concerns over this, & also it was brought to the attention of the PM, who in turn said something along the lines that warrants ARE required to obtain subscriber information. It seems the right hand doesn’t know what the left hand is doing. Do we honestly think that with all the controversy the Gov’t will actually do something?? I think not.

“Notify”? That’s “reform”?
They shouldn’t be disclosing anything without a warrant in the first place, so there should be nothing to notify about.

How about “legislative reform” in the form of “Do not disclose anything to anybody, including the Government, without prior subscriber permission or a court order”? There should be individual and corporate criminal penalties associated with violation, as well as civil liability for any damage to the victim.

And “subscriber permission” means a positive act of giving explicit and specific permission to disclose particular information to identified parties, not some blanket fine print in a contract of adhesion.

Where do I sign up for the class action lawsuit?!
The blunt response of the Telcos as stated in your piece is OUTRAGEOUS and deserves IMMEDIATE ACTION, because it is clearly a CRIMINAL VIOLATION OF PRIVACY. Where do I sign up for the class action lawsuit?!

Remember Vic Toews? Maybe it’s time for someone to disclose the Telco’s CEOs’ personal browsing habits and see how they like that!

Top Secret
If CSIS or any other LEA orders a wiretap or production of certain records to support an active surveillance, those requests will be handled by telco staff who have “top secret” credentials – the CEO of the company can’t even know about them. It is illegal for Telco staff to acknowledge the existence of the request, or the existence of the wiretap or records. There is no way they are going to notify the subscriber that CSIS or the RCMP is watching them – that would be illegal and they would go to jail.

Why would they respond seriously to a prefab template from private citizens?

Because they want to be re-elected. Besides, even if none of us get anything, this is a simple way to express our collective outrage and send a message. The telcos will have to apply resources — they are legally obliged to reply even if it is to refuse. I recommend the template. It’s pretty simple to use and most requests can be patched together and submitted by e-mail.

There should be another companion template in the form of a letter to the PMO,

No clearance needed for police requests
@Cynic: from personal experience, there is no clearance involved for police requests, at least not in the early 2000s at one major cell phone company. No concern at all from managers that the requests were in clear text, phone number, time period, cell towers involved etc! There will be MANY people involved in handling a request, and likely not all of those work directly for the ‘phone company’; there are many contractors and outsource contracts running those systems.

Clearance required
@ the g, If you are referring to the work involved in pulling certain records to fulfill Production Orders then you are correct, there is no special security clearance required. Telco employees are required to keep that information confidential, just as bank tellers must keep the details of your bank accounts confidential and nurses must keep your medical records confidential.

However, when it comes to putting in place wire taps or working on certain government circuits (e.g. department of national defense, CSIS, RCMP, etc.), the Telco staff must have the requisite security clearance.